Changes to the internal governance guidelines for banks

  • Publication
  • 5 minute read
  • September 24, 2025

On 7 August 2025, the European Banking Authority (EBA) published a consultation on its revised guidelines on internal governance, aligning them with the updated requirements introduced by CRD VI in January 2025. The proposed changes strengthen governance structures across EU institutions by introducing clearer role definitions, enhanced risk oversight, and improved accountability mechanisms.

Board composition

The EBA has reinforced the principle that the Chair of the management body is to be a non-executive director, while the CEO of an institution is now expressly prohibited from carrying out the role of Chair.

Moreover, institutions are expected to implement conflict of interest mitigation measures in situations where a former CEO transitions into a non-executive role, including Chair of the supervisory function, without a cooling-off period of at least three years. This should include:

  • allowing other board members to request abstention from voting on sensitive items;

  • prohibiting participation in discussions or votes related to evaluations of their own past performance or decisions on remuneration for their previous executive role; and

  • requiring the former CEO to recuse themselves from discussions involving matters where a significant professional conflict of interest has been identified.

Similar measures are also encouraged when any former executive transitions into a supervisory role without an adequate cooling-off period. Additionally, it is clarified that the Chair of the supervisory function of a parent entity’s management body should not be held by the CEO of a subsidiary, thus reinforcing the separation of governance layers.

In addition, the guidelines require institutions to give further consideration when combining the roles of risk management and compliance under a single senior individual. This may be permitted where justified by the institution’s nature, scale and complexity, but the institution must demonstrate that appointing separate individuals is not warranted. The individual must meet suitability, expertise and time commitment criteria for both functions, and the decision to combine these roles must be formally documented.

Gender balanced composition

The guidelines incorporate findings from the EBA’s benchmarking report on diversity practices, emphasising the need for institutions to adopt gender-neutral remuneration frameworks. This means that pay structures, incentives and performance assessments must be designed and implemented in a way that avoids gender bias and promotes fairness across all roles and levels of seniority.

Specific KPIs have also been proposed by the EBA in order to monitor the representation and equal treatment of staff of different genders. Such KPIs include the representation of genders across various management roles (such as management body, board committees), days of training received by gender, and staff turnover by gender. While not representing a binding or exhaustive list of KPIs, banks are expected to refer to such KPIs when determining their approach to managing staff. 

Governance mapping

A structured obligation for institutions to maintain a comprehensive and accurate mapping of duties within a single document or repository has been introduced. Institutions must maintain a single, centralised document that clearly outlines reporting lines, responsibilities, and roles across both management and supervisory functions. This mapping must be:

  • Prepared at both entity and consolidated group levels. 

  • Updated regularly and approved by the management body.

  • Aligned with individual role statements and governance structures. 

To ensure alignment with regulatory expectations, the mapping must correspond with individual role statements, that must be prepared for all members of the Management Board, Senior Management and key function holders. The purpose of this exercise is to highlight any governance gaps and reflect the institution’s structure and operational complexity. At a minimum, the mapping is expected to include detailed descriptions of business areas, internal control functions, decision-making processes, committee interactions, shared roles and outsourced responsibilities. The mapping of functions is expected to be conducted by the institution at both entity and group-wide level. Institutions must ensure that the duty mapping is readily available to all relevant stakeholders and can be provided to supervisory authorities upon request.

Incorporation of additional EBA guidance

The updated guidelines also integrate references to other new guidelines and requirements spanning additional topics such as ESG, third-party risk management and third-country branches. A short summary of the key points to be considered for each topic is provided below: 

Several amendments have been made to the guidelines in the wider context of the changes to the outsourcing guidelines (which are being replaced by the new guidelines on sound management of third-party risk). This new framework reflects the growing complexity and reliance on external service providers and aligns closely with the Digital Operational Resilience Act (DORA).

DORA, which came into force to bolster the digital resilience of financial entities, introduced stringent requirements for managing ICT-related third-party risks. However, until now, non-ICT third-party arrangements such as legal, HR or business process services were governed under a separate, less harmonised framework. The EBA’s new guidelines aim to bridge this gap, ensuring that non-ICT services are subject to governance standards comparable to those under DORA.

Under CRD VI, the EBA has introduced a more risk-sensitive approach to the regulation of third-country branches (TCBs), ensuring that governance expectations are consistent with those applied to EU-based credit institutions.

For third-country branches (TCBs), CRD VI introduces a classification system: 

  • Class 1 branches are those exceeding €5 billion in assets or €50 million in retail deposits, or failing to meet the definition of a qualifying TCB.

  • Class 2 branches are those that fall below these thresholds or meet the criteria for a qualifying TCB. 

Class 1 branches are subject to stricter regulatory requirements, including more granular reporting obligations and higher capital and liquidity standards. However, both classes are expected to uphold equivalent internal governance and remuneration frameworks to those of EU-based institutions.

The following governance and remuneration standards equivalent to EU-based institutions must be adhered to by both classes of TCBs: 

  • Clear organisational structures

  • Effective risk and ESG management 

  • Gender-neutral remuneration policies

  • Robust internal controls and IT systems 

Branches must also actively manage outsourcing arrangements and ensure that supervisory authorities have full access to relevant documentation and data. In cases involving back-to-back booking, branches must demonstrate sufficient capacity to manage counterparty credit risk and CVA risk effectively.

The TCB must appoint two locally based individuals with sufficient expertise and time commitment, approved by the competent authority. Class 1 branches, and Class 2 branches deemed sufficiently complex, must also appoint heads of internal control functions, with removal subject to supervisory approval.

As part of its alignment with the EBA guidelines on the management of ESG risks, the consultation paper introduces a new requirement for institutions to integrate ESG risks into their risk management framework across short, medium and long-term horizons (extending to at least 10 years). This long-term perspective is intended to support strategic planning and decision-making, while the short- and medium-term horizons demand more granular and data driven approaches. Additional detail on how ESG factors should be incorporated into the institution’s risk management framework can be found within the EBA guidelines on the management of ESG risks.

Implications and implementation challenges

Taken together, these governance reforms will require institutions to develop a coordinated implementation strategy that spans legal, compliance, HR, IT and risk functions. The changes are not isolated as they intersect with broader regulatory developments such as CRR III, DORA, and ESG risk management guidelines. Banks are encouraged to give due consideration to their internal governance structures, reporting lines and relevant policies, in order to identify any gaps which need to be addressed.

Contact us

Norbert Paul Vella

Assurance Partner, PwC Malta

Tel: +356 9945 3843

Braden Sammut

Senior Manager, Assurance, PwC Malta

Tel: +356 2564 2658

Gaetano Gesualdi

Manager, Assurance, PwC Malta

Tel: +356 7973 9071
